The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.

CVE-2022-24190: Automating Unsolicited Richard Pics; Pwning 60,000 Digital Picture Frames

By Waqas
The flaw is tracked as CVE-2022-40684 in FortiOS, while its exploit is being sold on a popular Russian hacker forum.
This is a post from HackRead.com Read the original post: Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs

While performing routine monitoring, Cyble’s Global Sensor Intelligence (GIS) discovered a threat actor is distributing unauthorized access to several Fortinet VPNs on a Russian cybercrime forum.

When they evaluated the access, researchers realized that the attacker was trying to add a new public key to the admin user’s account. Further probe revealed that the targeted organizations used outdated FortiOS software.

This indicated the attacker was managing authentication bypass by exploiting a channel or alternate path flaw tracked as **CVE-2022-40684** in FortiOS. This authentication bypass flaw lets an unauthorized/unauthenticated attacker exploits the administrative interface.

**Impacted Products and Firmware Versions**

According to Cyble’s research published on November 24, 2022, multiple **Fortinet** versions are affected by this flaw, including FortiOS, FortiProxy, and FortiSwitchManager. The vulnerability allows an attacker to perform operations on the “administrative interface” through specially created HTTPS or HTTP requests, Cyble’s **advisory** read.

As seen by Hackread.com, another threat actor on the same Russian hacker forum is currently offering the same Fortinet VPN exploit. In a listing published earlier today, the threat actor cited Censys’s search that showed there are over 400,000 exposed devices.

According to Cyble’s researchers, the following are the impacted versions of FortinetOS.

1.  FortiProxy version 7.2.0
2.  FortiSwitchManager version 7.2.0
3.  FortiSwitchManager version 7.0.0
4.  FortiOS version 7.0.0 through 7.0.6
5.  FortiOS version 7.2.0 through 7.2.1
6.  FortiProxy version 7.0.0 through 7.0.6

**Vulnerability Details**

Research revealed that Fortinet software had been targeted since 17 October 2022. The attacker exploits the controlling mechanism of a function to target impacted versions of Fortinet products.

The function evaluates the affected devices’ access to another functionality called REST API. The attacker adds an SSH key to the admin account when exploiting the flaw to access SSH and invade the impacted system as admin.

To further compromise the system, the threat actor will modify the admin user’s SSH key and log in to the infected system. Then they would add new local users and update networking configurations for rerouting traffic. Next, the attacker downloads the system configuration and initiates packet captures for capturing sensitive system information.

**The Dark Web Connection**

According to researchers, there are over a hundred thousand internet-exposed FortiGate firewalls that are under the radar of attackers and vulnerable to the flaw. Given the sheer number of exposed products, the vulnerability was categorized as critical.

Researchers suspect that sensitive system data, configuration information, and network details might be shared over **the Dark Web**. That’s because the attacker can add or update a valid public SSH key to the targeted account on a system and gain full access to that system.

Moreover, the attacker may launch additional attacks against the remaining IT ecosystem of the organization after obtaining information via exploitation of this flaw. They are distributing initial access over the **Dark Web**, which has been used in several high-profile attacks lately.

1.  **Russia Hackers Abusing BRc4 Red Team Penetration Tool**
2.  **34 Russian Hacking Groups Stole 50 Million User Passwords**
3.  **Hackers leak login credentials of vulnerable Fortinet SSL VPNs**
4.  **Hackers Selling US Colleges VPN Credentials on Russian Forums**
5.  **Data of 21M SuperVPN, and GeckoVPN users leaked on Telegram**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs


Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.



Es conveniente leer la información siguiente antes de actualizar a esta versión

**

**Información importante sobre los ejecutables de 32 bits para Windows**



**

Esta es la última versión en la que se distribuirán los ejecutables de 32 bits para Windows.

**

**Los comandos y opciones de compactar y vaciar tabla estaban disponibles solamente en servidores cloud y con suscripción (Resuelta en 32.1)**



**

**

Nuevo sistema de activación de licencias de Velneo vServer



**

A partir de la versión 32 cambia el sistema de licenciamiento y las licencias se activarán desde

Velneo vAdmin

. Haz clic

aquí

para ampliar información al respecto.

En mi Velneo, ahora verás que una licencia tiene dos códigos distintos, uno con el formato **VLS-XXXX-XXX**, que será el que se deberá usar para activarla con la versión 32 y superiores y el otro, que usaremos cuando queramos activarla en servidores de la versión 31 o anteriores, que se seguirá activando con

Velneo vActivator

.

**

A partir de esta versión todos los servidores arrancarán con protocolo VATPS



**

El

protocolo VATPS

permite establecer conexiones seguras estándar TLS/SSL lo que provee de privacidad e integridad a las comunicaciones en red entre todos los componentes de Velneo. Es decir, no solo la comunicación se envía cifrada entre los componentes, si no que es inviolable, ya que garantiza que nadie puede modificar la información que se transmite, además de garantizarnos con qué servidor nos hemos conectado.

**

Incidencia con controles dibujo en dispositivos con procesadores Apple Silicon con sistema operativo Ventura



**

Hemos detectado una incidencia que produce un efecto de ralentización del interfaz la primera vez durante unos segundos cuando visualizamos o editamos un formulario con un control dibujo/objeto dibujo. Parece una incidencia de sistema operativo, ya que este efecto se produce también en versiones anteriores ya publicadas en las que no se observaba ese comportamiento y ha comenzado a producirse tras la última actualización de macOS Ventura en equipos con procesadores Apple Silicon.

**

Mejoras de seguridad en validación de usuario y contraseña



**

Con el fin de mejorar la seguridad del

inicio de sesión

en Velneo, se evita enviar el hash de la contraseña, sustituyendo el sistema de login con uno más moderno y seguro.

En breve, aparecerá publicado en

CVE

con el fin de advertir y propiciar la actualización a esta versión.

**

Funciones remotas y compatibilidad con versiones anteriores de Velneo



**

Por defecto, un servidor de la 32 no permite recibir peticiones de ejecución de funciones remotas desde versiones anteriores. En el caso de que queramos hacer esto posible, debemos una clave beta en la máquina donde tengamos instalado el servidor de la versión 32.

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración de sistema: Escribir cadena de texto

para establecerlos, ejecutándolo en 3er plano. Los parámetros se resolverán como indicamos a continuación:

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" ):

*   **Clave**: enableRetrocompatibildadFuncionesRemotas
    

*   **Valor**: 3BFD2F9B103174596FF78C23CE8DDE77EC917BEA
    

**

Rejillas: la CSS que se aplica a los ítems de rejillas, se aplican también a las columnas de campos de tipo objeto texto y objeto dibujo



**

En versiones anteriores no se aplicaban correctamente las CSS de ítem de

rejilla

en columnas de campos de tipo objeto texto enriquecido y objeto dibujo; ahora hemos mejorado la plataforma para que también las aplique.

Al aplicar el ajuste del texto (wordwrap) en una CSS, el ajuste en textos largos puede resultar distinto.

**

Cómo activar la nueva interfaz Velneo vAdmin



**

Velneo vAdmin estrena nueva interfaz. Para probarla no tienes más que

activarla

.

**

Funcionalidades no disponibles en la nueva interfaz de Velneo vAdmin y en Velneo vAdmin Web



**

*   Alta y modificación de
    
    disco
    
    .
    

**

Mejoras de rendimiento en beta



**

Si quieres disfrutar de la versión beta de estas opciones, debes activar ciertas claves beta correspondiente en el cliente (en el caso de los objetos de interfaz) y también en el servidor (en el caso de procesos).

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración del sistema: escribir cadena texto

para establecerlos, ejecutándolo en 1º y 3º plano según corresponda. Los parámetros se resolverán como indicamos a continuación

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" )

Ejecutar la aplicación, lanzar el proceso en primero y/o tercer plano, según corresponda.

En el ámbito del cliente, las claves serán operativas en siguientes sesiones que se lancen del mismo.

En el ámbito del servidor, las claves serán operativas en cuanto se reinicie.

Estas son las distintas claves beta que podemos configurar:

*   ​
    
    Rejillas
    
    estándar, carga y movimiento optimizado (requiere el
    
    estilo
    
    _Optimizado_):
    
    *   **Clave**: optimizarRejillasClient
        
    
    *   **Valor**: 8DF627183E075E86BADCF82C11D4F931E8BF62D8
        
    

*   *   **Clave**: optimizarFormulariosClientFormulas
        
    
    *   **Valor**: ED979A19EEFC93EE0E4F58FB93F432BF258E1E33
        
    

*   Procesos, optimización de parámetros:
    
    *   **Clave**: optimizarInstruccion
        
    
    *   **Valor**: F15868161C0B05825E38ADE94001D5D9926CDFB7
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   *   **Valor**: 11B804B93A06DFED1838D5B21F309414B881EEDF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   Nuevo motor
    
    Javascript
    
    con optimización de memoria y concurrencia:
    
    *   **Clave**: enableSombrasJSClass
        
    
    *   **Valor**: F0835AF8367C2AE76BC7804F8183EEB5529C5ADF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

Última actualización 6mo ago

CVE-2021-45036: Notas de la versión

KnowBe4 empowers end users by introducing security awareness and compliance training on the go at no additional cost.

**TAMPA, Fla., Nov. 28, 2022 /PRNewswire/** — KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today announced it is launching the new KnowBe4 Mobile Learner App to empower end users by introducing security awareness and compliance training on the go at no additional cost to customers, improving user engagement and strengthening security culture.

With a large majority of the world's population using smartphones today, mobile training revolutionizes the way people learn. This new app will enable end users to complete their security awareness and compliance training conveniently from their tablets or smartphones, giving them 24/7/365 access.

"The KnowBe4 Mobile Learner App is the first of its kind to launch in the security awareness and compliance training space, making it easier than ever to train users while subsequently strengthening an organization's security culture," said Stu Sjouwerman, CEO, KnowBe4. "This new app will enable IT and security teams to improve engagement and completion rates for required training thanks to a seamless user experience. This will also help users to associate security with their personal devices, keeping it top of mind all the time rather than only when they are at work on their computers. We are making this substantial new capability available at no additional cost to all subscription levels as a show of our commitment to supporting our customers' security and human risk management objectives."

Based on subscription levels, KnowBe4 offers 100+ Mobile-First training modules that were designed specifically for mobile. The KnowBe4 Learner App supports push notifications for custom announcements, and updates on assigned training as well as KnowBe4 newsletters.

The app is available for iOS and Android, and free to all KnowBe4 customers with a KnowBe4 training platform subscription. For more information, visit https://www.knowbe4.com/mobile-learner-app.

**About KnowBe4**

KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 54,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

SOURCE: KnowBe4

KnowBe4 Launches New Mobile Learner App for Cybersecurity Learning

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.

**The hard news:** they're often successful, have a long-lasting negative impact on your organization and employees, including:

*   Loss of Money
*   Reputation damage
*   Loss of Intellectual property
*   Disruptions to operational activities
*   Negative effect on company culture

**The harder news:** These often could have been easily avoided.

Phishing, educating your employees, and creating a cyber awareness culture? These are topics we're sensitive to and well-versed in. So, how can you effectively protect your organization against phishing attempts? These best practices will help transform your employees' behavior and build organizational resilience to phishing attacks.

****Plan for total workforce training:****

According to the 2022 Tessian Security Cultures Report, "security leaders underestimate just how much they should be a part of the employee experience" across onboarding, role changes, offboarding, relocations, and day-to-day activities.

But we've repeatedly seen that ad hoc, scattershot employee training attempts don't work. If you want sufficient internal defenses against sophisticated phishing threats, you should train 100% of your employees monthly.

Granted, it isn't easy if your team is growing rapidly or spread across different locations and time zones. Yet doing anything less than 100% employee training leaves you with too many security holes and opportunities for hackers to break in. Unfortunately, it also means you have no way of knowing your employees' level of threat awareness or whether they know how to react to threats. You might be missing your weakest link or getting into a scenario that could have been easily avoided.

****Apply Continuous Training****

Ever been told there'll be a fire evacuation drill? Likely, you weren't caught off guard when the practice started and could have paid more attention. That's the thing about drills; they're in place to prepare us for present and future threats.

Cybersecurity training is no different. While it can quickly become ticking a compliance box to satisfy minimum requirements. To prevent it, you need to catch your staff off guard. Knowing that a threat could present itself at any time keeps employees vigilant and accountable between more extensive training campaigns.

It would be best if you kept giving your employees these unexpected opportunities to learn on an ongoing basis. They will likely make easily avoidable mistakes if they only receive occasional simulations. You might miss new employees without sufficient cybersecurity training, or it might take time for them to revisit and build on this training.

**The solution:** Conducting consistent cybersecurity training is the best way to keep it top of mind for everyone—train for yesterday, today, and tomorrow.

****Deploy Adaptive Content****

You might use cybersecurity understanding or departments as categories. Start by segmenting your workforce into groups. Then, develop adaptive training based on each group's needs - and even based on individual behavior. That's critical to adequately address the challenges of given scenarios of future attack campaigns.

These can include data or password requests, messages from legitimate sources, or realistic content tailored to an organization's specific role or department.

You strengthen employees' defenses by adapting your content to individual responses and specific attack vectors. Doing so turns the human element from a security gap to a security advantage.

****Localize Your Cybersecurity Training****

English might be your corporate language, but it might not be every employee's mother tongue, and cultural contexts might be perceived differently in some branches.

Using employees' mother tongue within a location's cultural context will dramatically enhance their learning retention. By citing local references (such as national holidays, significant news sources, popular social media platforms, and more), you make your simulations more believable and relatable. Your employees will likely pay better attention during training and will be less susceptible to attacks.

Lastly, there could be different implications regarding email compliance standards in different places. Ensure your team is aware of that and incorporate the necessary precautions in these locations' training.

****Back Your Cyber Training with Data Science****

In our experience, one in every five employees is a "serial clicker." Serial clickers click, open, and download attachments that often place them and your organization in danger. They might be a new or existing employee. We've seen it all, from entry-level positions to company stakeholders.

They're not trained or equipt to reliably identify phishing attacks, nor understand how dangerous and their destructive impact. So they keep clicking links in emails that they shouldn't have opened.

**The good news:** We believe serial clickers can be cured because we've seen it repeatedly happen with employee training and education.

We know that serial clickers are just some of the ones to worry about. Employees respond differently to a variety of attack vectors. It's recommended to use data science to understand how employee groups within your organization - from new hires, executive leadership, and veteran employees - respond to potential threats.

Once you analyze the data to understand these groups' behavior, you can develop programs that shift them toward a more discerning approach to email management based on their specific needs and their current place in their cybersecurity awareness journey.

These programs must include expert knowledge, adjusted frequency, timely reminders, custom simulations, and training content designed for highly susceptible groups while respecting employees' privacy.

****Automate Your Cybersecurity Education****

Regardless of the size of your organization, the complexity required to run a training program like the one described above can be challenging. Whether you're looking at it from the perspective of time, resources, or economics, it's almost impossible without a truly automated solution that has expert knowledge baked into the software.

CybeReady provides a fully-automated platform powered by machine learning technology. It mitigates the risks of human error through an educational approach that continuously provides frequent, adaptive, engaging training. Get in touch today to foster a culture that cares, retains information to keep your organization safe, and feels accountable. Make your organization cyber-ready. Learn how you can upgrade your security awareness program with a short, perosanilized demo.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The 5 Cornerstones for an Effective Cyber Security Awareness Training

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information. 
The hard news: they're often successful, have a long-lasting negative impact on your organization and employees, including:

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.

**The hard news:** they're often successful, have a long-lasting negative impact on your organization and employees, including:

*   Loss of Money
*   Reputation damage
*   Loss of Intellectual property
*   Disruptions to operational activities
*   Negative effect on company culture

**The harder news:** These often could have been easily avoided.

Phishing, educating your employees, and creating a cyber awareness culture? These are topics we're sensitive to and well-versed in. So, how can you effectively protect your organization against phishing attempts? These best practices will help transform your employees' behavior and build organizational resilience to phishing attacks.

****Plan for total workforce training:****

According to the 2022 Tessian Security Cultures Report, "security leaders underestimate just how much they should be a part of the employee experience" across onboarding, role changes, offboarding, relocations, and day-to-day activities.

But we've repeatedly seen that ad hoc, scattershot employee training attempts don't work. If you want sufficient internal defenses against sophisticated phishing threats, you should train 100% of your employees monthly.

Granted, it isn't easy if your team is growing rapidly or spread across different locations and time zones. Yet doing anything less than 100% employee training leaves you with too many security holes and opportunities for hackers to break in. Unfortunately, it also means you have no way of knowing your employees' level of threat awareness or whether they know how to react to threats. You might be missing your weakest link or getting into a scenario that could have been easily avoided.

****Apply Continuous Training****

Ever been told there'll be a fire evacuation drill? Likely, you weren't caught off guard when the practice started and could have paid more attention. That's the thing about drills; they're in place to prepare us for present and future threats.

Cybersecurity training is no different. While it can quickly become ticking a compliance box to satisfy minimum requirements. To prevent it, you need to catch your staff off guard. Knowing that a threat could present itself at any time keeps employees vigilant and accountable between more extensive training campaigns.

It would be best if you kept giving your employees these unexpected opportunities to learn on an ongoing basis. They will likely make easily avoidable mistakes if they only receive occasional simulations. You might miss new employees without sufficient cybersecurity training, or it might take time for them to revisit and build on this training.

**The solution:** Conducting consistent cybersecurity training is the best way to keep it top of mind for everyone—train for yesterday, today, and tomorrow.

****Deploy Adaptive Content****

You might use cybersecurity understanding or departments as categories. Start by segmenting your workforce into groups. Then, develop adaptive training based on each group's needs - and even based on individual behavior. That's critical to adequately address the challenges of given scenarios of future attack campaigns.

These can include data or password requests, messages from legitimate sources, or realistic content tailored to an organization's specific role or department.

You strengthen employees' defenses by adapting your content to individual responses and specific attack vectors. Doing so turns the human element from a security gap to a security advantage.

****Localize Your Cybersecurity Training****

English might be your corporate language, but it might not be every employee's mother tongue, and cultural contexts might be perceived differently in some branches.

Using employees' mother tongue within a location's cultural context will dramatically enhance their learning retention. By citing local references (such as national holidays, significant news sources, popular social media platforms, and more), you make your simulations more believable and relatable. Your employees will likely pay better attention during training and will be less susceptible to attacks.

Lastly, there could be different implications regarding email compliance standards in different places. Ensure your team is aware of that and incorporate the necessary precautions in these locations' training.

****Back Your Cyber Training with Data Science****

In our experience, one in every five employees is a "serial clicker." Serial clickers click, open, and download attachments that often place them and your organization in danger. They might be a new or existing employee. We've seen it all, from entry-level positions to company stakeholders.

They're not trained or equipt to reliably identify phishing attacks, nor understand how dangerous and their destructive impact. So they keep clicking links in emails that they shouldn't have opened.

**The good news:** We believe serial clickers can be cured because we've seen it repeatedly happen with employee training and education.

We know that serial clickers are just some of the ones to worry about. Employees respond differently to a variety of attack vectors. It's recommended to use data science to understand how employee groups within your organization - from new hires, executive leadership, and veteran employees - respond to potential threats.

Once you analyze the data to understand these groups' behavior, you can develop programs that shift them toward a more discerning approach to email management based on their specific needs and their current place in their cybersecurity awareness journey.

These programs must include expert knowledge, adjusted frequency, timely reminders, custom simulations, and training content designed for highly susceptible groups while respecting employees' privacy.

****Automate Your Cybersecurity Education****

Regardless of the size of your organization, the complexity required to run a training program like the one described above can be challenging. Whether you're looking at it from the perspective of time, resources, or economics, it's almost impossible without a truly automated solution that has expert knowledge baked into the software.

CybeReady provides a fully-automated platform powered by machine learning technology. It mitigates the risks of human error through an educational approach that continuously provides frequent, adaptive, engaging training. Get in touch today to foster a culture that cares, retains information to keep your organization safe, and feels accountable. Make your organization cyber-ready. Learn how you can upgrade your security awareness program with a short, perosanilized demo.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

A null pointer dereference vulnerability exists in the handle_ioctl_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

**SUMMARY**

A null pointer dereference vulnerability exists in the handle\_ioctl\_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Callback technologies CBFS Filter 20.0.8317

**PRODUCT URLS**

CBFS Filter - https://www.callback.com/cbfsfilter/

**CVSSv3 SCORE**

6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-476 - NULL Pointer Dereference

**DETAILS**

A windows device driver is almost like a kernel DLL that, once loaded, provides additional features. In order to communicate with these device drivers, Windows has a major component named Windows I/O Manager. The Windows IO Manager is responsible for the interface between user applications and device drivers. It implements I/O Request Packets (IRP) to enable the communication with the devices drivers, answering to all I/O requests. For more information see the Microsoft website.

The driver is responsible for creating a device interface with different functions to answer to specific codes, named major code function. If the designer wants to implement customized functions into a driver, there is one major function code named IRP_MJ_DEVICE_CONTROL. By handling such major code function, device drivers will support specific I/O Control Code (IOCTL) through a dispatch routine.

The Windows I/O Manager provides three different methods to enable the shared memory: Buffered I/O, Direct I/O, Neither I/O.  
Without getting into the details of the IO Manager mechanisms, the method Buffered I/O is often the easiest one for handling memory user buffers from a device perspective.  
The I/O Manager is providing all features to enable device drivers sharing buffers between userspace and kernelspace. It will be responsible for copying data back and forth.

Let’s see some examples of routines (which you should not copy as is) that explain how things work.  
When creating a driver, you’ll have several functions to implement, and you’ll find some dispatcher routines to handle different IRP as follows:

    extern "C"
    NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT pDriverObject, _In_ PUNICODE_STRING RegistryPath)
    {
     [...]
            pDriverObject->DriverUnload = DriverUnload;
            pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverIOctl;
            pDriverObject->MajorFunction[IRP_MJ_CREATE] = DriverCreate;
            pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverClose;
    [...]
    }
    

The DriverEntry is the function main for a driver. This is the place where initializations start.

We can see for example the pDriverObject which is a PDRIVER_OBJECT object given by the system to associate different routines, to be called against specific codes, into the Majorfunction table IRP_MJ_DEVICE_CONTROL for DriverIOctl etc.

Then later inside the driver you’ll see the implementation of the DriverIOctl routine responsible for handling the IOCTL code. It can be something like below:

    NTSTATUS DriverIOctl(PDEVICE_OBJECT pDevObject, PIRP pIrp)
    {
       [...]
        auto pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
        switch (pIrpSp->Parameters.DeviceIoControl.IoControlCode)
        {
    
        case IO_CREATE_EXAMPLE:
                ioctl_inbuffer_data = (ioctl_inbuffer*)pIrp->AssociatedIrp.SystemBuffer;
                auto InputBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
                auto OutputBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
         [...] some code
    
            pIrp->IoStatus.Information = 0;
            pIrp->IoStatus.Status = status;
    
            break;
         }
         
         pIrp->IoStatus.Information = some value;
         pIrp->IoStatus.Status = status;
         return status;
    }
    

First we can see the pIrp pointer to an IRP structure (the description would be out of the scope of this document). Keep in mind this pointer will be useful for accessing data.  
So here for example we can observe some switch-case implementation depending on the IoControlCode IOCTL. When the device driver gets an IRP with code value IO_CREATE_EXAMPLE, it performs the operations below the case. To get into the buffer data exchanged between userspace and kernelspace and vice-versa, we’ll look into SystemBuffer passed as an argument through the pIrp pointer.

On the device side, the pointer inside an IRP represents the user buffer, usually a field named Irp->AssociatedIrp.SystemBuffer, when the buffered I/O mechanism is chosen. The specification of the method is indicated by the code itself.  
On the userspace side, an application would need to gain access to the device driver symbolic link if it exists, then send some ioctl requests as follows:

    success  = ::DeviceIoControl(
        ghDevice,
        IO_CREATE_EXAMPLE,                  // control code
        &gpIoctl,                           // input buffer
        sizeof(struct ioctl_inbuffer),      // input buffer length
        &gpIoctl,                           // output buffer
        sizeof(struct ioctl_inbuffer),      // output buffer length
        &returned,
        nullptr
    );
    

Such a call will result in an IRP with a major code IRP_MJ_DEVICE_CONTROL and a control code to IO_CREATE_EXAMPLE. The buffer passed from userspace here as input gpIoctl, and output will be accessible from the device driver in the kernelspace via pIrp->AssociatedIrp.SystemBuffer. The lengths specified on the DeviceIoControl parameters will be used to build the IRP, and the device would be able to get them into the InputBufferLength and the OutputBufferLength respectively.

Now below we’ll see one example of sending a correct output buffer length directly without providing the driver some previous context which can lead to different behaviors and more frequently a local denial of service and blue screen of death through the usage of the device driver cbfilter20.

After the system has normally booted and the driver is running, sending an IOCTL 0x83150 with a valid buffer input size and some specific data length leads to the following situation

      CONTEXT:  ffff9c0ee2b66560 -- (.cxr 0xffff9c0ee2b66560)
        rax=0000000000001000 rbx=0000000000000000 rcx=0000000000000000
        rdx=ffffc408362e0a10 rsi=ffffc4083492a570 rdi=0000000000000000
        rip=fffff80258bc4eb4 rsp=ffff9c0ee2b66f60 rbp=ffff9c0ee2b67150
         r8=ffffc40839fe1a30  r9=0000000000083150 r10=fffff80258ba5780
        r11=0000000000000000 r12=ffffc4083a7740c0 r13=ffffc408362e0940
        r14=ffffc40839fe1a01 r15=0000000000000000
        iopl=0         nv up ei pl nz na pe nc
        cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050302
        cbfilter20!handle_ioctl_83150+0xd0:
        fffff802`58bc4eb4 488b4308        mov     rax,qword ptr [rbx+8] ds:002b:00000000`00000008=????????????????
        Resetting default scope
    
        PROCESS_NAME:  python.exe
    

When looking at pseudo code corresponding to the culprit function we can see the following:

    LINE1   __int64 __fastcall handle_ioctl_83150(_DEVICE_OBJECT *a1, PIRP a2)
    LINE2   {
            [...]
    LINE71    v3 = 0i64;
    LINE72    Object = 0i64;
    LINE73    v4 = 0;
    LINE74    SectionHandle = 0i64;
    LINE75    Handle = 0i64;
    LINE76    v48 = 0i64;
    LINE77    buffer_0x10000 = 0i64;
    LINE78    v50 = 0i64;
    LINE79    CurrentStackLocation = a2->Tail.Overlay.CurrentStackLocation;
    LINE80    SystemBuffer = (struct_SystemBuffer *)a2->AssociatedIrp.SystemBuffer;
    LINE81    if ( CurrentStackLocation->Parameters.DeviceIoControl.InputBufferLength != SystemBuffer->size_len + 0x20i64 )
    LINE82    {
    LINE83      l_FileObject = 0i64;
    LINE84  invalid_param:
    LINE85      v14 = STATUS_INVALID_PARAMETER;
    LINE86      goto LABEL_68;
    LINE87    }
    LINE88    FileObject = CurrentStackLocation->FileObject;
    LINE89    must_be_1 = SystemBuffer->must_be_1;
    LINE90    if ( (must_be_1 & 1) != 0 )
    LINE91    {
    LINE92      v4 = 1;
    LINE93      v11 = 0i64;
    LINE94      v12 = 4096i64;
    LINE95    }
    LINE96    else
    LINE97    {
    LINE98      if ( (must_be_1 & 2) == 0 )
    LINE99      {
    LINE100       l_FileObject = (__int64)CurrentStackLocation->FileObject;
    LINE101       goto invalid_param;
    LINE102     }
    LINE103     v11 = 4096i64;
    LINE104     v12 = 0i64;
    LINE105   }
    LINE106   v53 = v12;
    LINE107   MaxCount.QuadPart = v11;
    LINE108   v59 = v12;
    LINE109   v52 = v11;
    LINE110   FsContext2 = (__int64)FileObject->FsContext2;
    LINE111   v58 = FsContext2;
    LINE112   v39 = *(_QWORD *)(FsContext2 + 8);
    LINE113   v54 = v39;
    LINE114   v14 = ObReferenceObjectByHandle(SystemBuffer->handle, 0, 0i64, 0, &Object, 0i64);
    LINE115   v38 = v14;
    LINE116   if ( v14 < 0 )
    LINE117   {
    LINE118     Object = 0i64;
    LINE119     v3 = 0i64;
    LINE120 LABEL_9:
    LINE121     l_FileObject = v39;
    LINE122     goto free_buffer;
    LINE123   }
    LINE124   v15 = *((_QWORD *)Object + 4);
    LINE125   v40 = v15;
    LINE126   v55 = v15;
    LINE127   a2->IoStatus.Information = 0i64;
            [...]
    LINE380   a2->IoStatus.Status = v14;
    LINE381   return (unsigned int)v14;
    LINE382 }
    

The crash is happening at LINE110, while dereferencing FileObject->FsContext2. The issue is happening as there is no null check done against FileObject and is assumed to be always valid, which is not the case if the IRP packet is sent directly. The FileObject is derived directly from CurrentStackLocation at LINE88, which is derived itself from the IRP packet at LINE79. A specially-crafted I/O request packet bypassing the checks done at LINE80 & LINE90 will lead to denial of service immediately.

**Crash Information**

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80258bc4eb4, Address of the instruction which caused the bugcheck
    Arg3: ffff9c0ee2b66560, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
        Key  : Analysis.CPU.mSec
        Value: 2608
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 3502
    
        Key  : Analysis.Init.CPU.mSec
        Value: 32186
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 670833
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 96
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
    
    BUGCHECK_CODE:  3b
    
    BUGCHECK_P1: c0000005
    
    BUGCHECK_P2: fffff80258bc4eb4
    
    BUGCHECK_P3: ffff9c0ee2b66560
    
    BUGCHECK_P4: 0
    
    CONTEXT:  ffff9c0ee2b66560 -- (.cxr 0xffff9c0ee2b66560)
    rax=0000000000001000 rbx=0000000000000000 rcx=0000000000000000
    rdx=ffffc408362e0a10 rsi=ffffc4083492a570 rdi=0000000000000000
    rip=fffff80258bc4eb4 rsp=ffff9c0ee2b66f60 rbp=ffff9c0ee2b67150
     r8=ffffc40839fe1a30  r9=0000000000083150 r10=fffff80258ba5780
    r11=0000000000000000 r12=ffffc4083a7740c0 r13=ffffc408362e0940
    r14=ffffc40839fe1a01 r15=0000000000000000
    iopl=0         nv up ei pl nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050302
    cbfilter20!handle_ioctl_83150+0xd0:
    fffff802`58bc4eb4 488b4308        mov     rax,qword ptr [rbx+8] ds:002b:00000000`00000008=????????????????
    Resetting default scope
    
    PROCESS_NAME:  python.exe
    
    STACK_TEXT:  
    ffff9c0e`e2b66f60 fffff802`58bbc878     : ffffc408`3492a570 ffffc408`362e0940 ffffeb80`01414701 00000000`00000000 : cbfilter20!handle_ioctl_83150+0xd0
    ffff9c0e`e2b67130 fffff802`58ba57f3     : c40839fe`00000000 ffffc408`362e0940 00000000`00000001 ffffc408`3492a570 : cbfilter20!DispatchDeviceControl+0x2d4
    ffff9c0e`e2b67160 fffff802`5509b7d5     : 00000000`0000000e 00000000`00000000 ffffc408`362e0940 00000000`00000001 : cbfilter20!fn_IRP_MJ_DEVICE_CONTROL+0x73
    ffff9c0e`e2b671c0 fffff802`55481a08     : ffff9c0e`e2b67540 ffffc408`362e0940 00000000`00000001 ffffc408`3ad7e0c0 : nt!IofCallDriver+0x55
    ffff9c0e`e2b67200 fffff802`554812d5     : 00000000`00083150 ffff9c0e`e2b67540 00000000`00000005 ffff9c0e`e2b67540 : nt!IopSynchronousServiceTail+0x1a8
    ffff9c0e`e2b672a0 fffff802`55480cd6     : 00007ff8`86a68e80 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x5e5
    ffff9c0e`e2b673e0 fffff802`55214ab5     : 00000000`00000000 00000000`00000000 00000000`00000000 000000e2`7d7ecb18 : nt!NtDeviceIoControlFile+0x56
    ffff9c0e`e2b67450 00007ff8`c726ce54     : 00007ff8`c4aab04b ffffffff`ff9c9830 00000000`00000000 000000e2`7d7eeb48 : nt!KiSystemServiceCopyEnd+0x25
    000000e2`7d7eea78 00007ff8`c4aab04b     : ffffffff`ff9c9830 00000000`00000000 000000e2`7d7eeb48 000000e2`7d7eec40 : ntdll!NtDeviceIoControlFile+0x14
    000000e2`7d7eea80 00007ff8`c6a05611     : 00000000`00083150 000000e2`7d7eec40 00000236`fb968d00 00007ff8`86b0694d : KERNELBASE!DeviceIoControl+0x6b
    000000e2`7d7eeaf0 00007ff8`86a4648c     : 00000000`00000022 000000e2`7d7eec40 000000e2`7d7eec40 00000000`00000001 : KERNEL32!DeviceIoControlImplementation+0x81
    000000e2`7d7eeb40 00000000`00000022     : 000000e2`7d7eec40 000000e2`7d7eec40 00000000`00000001 00000000`00000000 : win32file!PyInit_win32file+0xf98c
    000000e2`7d7eeb48 000000e2`7d7eec40     : 000000e2`7d7eec40 00000000`00000001 00000000`00000000 000000e2`00000000 : 0x22
    000000e2`7d7eeb50 000000e2`7d7eec40     : 00000000`00000001 00000000`00000000 000000e2`00000000 000000e2`7d7eeba0 : 0x000000e2`7d7eec40
    000000e2`7d7eeb58 00000000`00000001     : 00000000`00000000 000000e2`00000000 000000e2`7d7eeba0 00000000`00000000 : 0x000000e2`7d7eec40
    000000e2`7d7eeb60 00000000`00000000     : 000000e2`00000000 000000e2`7d7eeba0 00000000`00000000 000000e2`7d7eeba8 : 0x1
    
    
    SYMBOL_NAME:  cbfilter20!handle_ioctl_83150+d0
    
    MODULE_NAME: cbfilter20
    
    IMAGE_NAME:  cbfilter20.sys
    
    STACK_COMMAND:  .cxr 0xffff9c0ee2b66560 ; kb
    
    BUCKET_ID_FUNC_OFFSET:  d0
    
    FAILURE_BUCKET_ID:  0x3B_c0000005_cbfilter20!handle_ioctl_83150
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {2a1744df-b799-38ae-0bd4-b13f23c537e7}
    
    Followup:     MachineOwner
    ---------
    

**TIMELINE**

2022-11-04 - Vendor Disclosure  
2022-11-04 - Initial Vendor Contact  
2022-11-22 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-43588: TALOS-2022-1647 || Cisco Talos Intelligence Group

A null pointer dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

CVE-2022-43590: TALOS-2022-1649 || Cisco Talos Intelligence Group

A null pointer dereference vulnerability exists in the handle_ioctl_8314C functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

CVE-2022-43589: TALOS-2022-1648 || Cisco Talos Intelligence Group

Plus: WikiLeaks’ website is falling apart, tax websites are sending your data to Facebook, and cops take down a big phone-number-spoofing operation.

Cybersecurity startup Corellium offered or sold its software to spyware and hacking-tool creators in multiple repressive countries, a WIRED investigation revealed this week. A previously unreported 507-page document, believed to have been prepared by Apple, details how Corellium offered a trial of its products to the controversial spyware firm NSO Group, to a cybersecurity company with ties to the UAE government, and to a firm in China that also has government links. In response, Corellium, which makes phone-virtualization software that can help find security bugs in iOS and Android, published a blog post detailing how it now vets potential customers.

As millions of people across the US celebrated Thanksgiving and attended parades, we looked at the US shortage of bomb-sniffing dogs. Experts say the pandemic has led to a drop in the supply of dogs in the country—85 to 90 percent of them come from overseas—and that the lack of trainer animals is fueling national security concerns.

In other national security news, US lawmakers are calling for stricter rules on autonomous vehicles (AVs), which are able to gather reams of real-time data about their environment. China is a chief concern. In a letter shared exclusively with WIRED, Republican congressman August Pfluger said, “AV technology has opened the door for a foreign nation to spy on American soil, as Chinese companies potentially transfer critical data to the People’s Republic of China.”

We also looked at how hidden data stored in PDF files helped researchers reveal names that had been redacted. Court filings, national security files, and responses to Freedom of Information Act requests have all exposed such information in this way. And we heard the cautionary tale of how one person lost $17,000 in crypto—and how you can avoid the same fate. 

Finally, we published part five of the series “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the downfall of AlphaBay, the world’s largest dark-web marketplace. In this installment, investigators in Thailand swoop in on AlphaBay’s mastermind, Alexandre Cazes, and discover he had a fortune topping $20 million. 

But wait, there’s more! Each week, we highlight news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Apple’s privacy policy for analytics services on its devices, which gather data about how you use its products, claims the information collected isn’t used to identify you. However, a new analysis of the tools, reported by Gizmodo, claims a permanent ID number within the service is “tied to your full name, phone number, birth date, email address and more.” This ID number is sent to Apple alongside the analytics data about how you use your device, researchers from the software company Mysk told the publication. 

The findings appear to contradict the company’s privacy promises. Apple did not answer Gizmodo’_s_ questions on the report. In recent years, Apple has pushed a pro-privacy stance, using it as an advantage over competitors, and it has run ads saying the data on people’s iPhones stays on their devices. However, experts have increasingly questioned some of Apple’s practices. (At the same time, Apple has been growing its advertising business.) In separate research published earlier in November, Mysk researchers claimed that Apple collects detailed information on people using its products through its own apps, even when they turn tracking off.

In June, the UK government approved the extradition of WikiLeaks founder Julian Assange to the United States. While Assange waits on an appeal in the case, the website he created is falling apart. At one point, WikiLeaks hosted more than 10 million leaked documents. However, according to an analysis by the Daily Dot, fewer than 3,000 of the files are now available. Aside from the drop-in documents, the website also has technical issues: It is frequently inaccessible, people have problems searching its content, and parts of its navigation have vanished. 

Meta’s Pixel, formerly known as the Facebook Pixel, is a snippet of code that websites can install to track their visitors. The tool is useful for advertisers. Millions of websites use the tracking tool, and the data is sent back to Meta. This week, The Markup revealed that major US tax websites are using the Pixel and sending financial information to Meta. Some of the data transferred includes names, email addresses, income information, and tax filing status. Some tax websites stopped using Meta’s Pixel following the report. A spokesperson for Meta, Dale Hogan, said that advertisers “should not send sensitive information” about people through its tools. 

And finally, in a major blow to scammers, an international police operation took down the iSpoof website, which let people disguise their phone numbers and show fake caller IDs when making phone calls. It’s estimated that people using iSpoof were contacting up to 20 people every minute of the day as they used false identities to try and trick people into handing over their money. One person was tricked out of £3 million ($3.6 million), reports say. The website now shows a notice saying it has been seized by the FBI and United States Secret Service. In total, 142 people were arrested in the operation, including the alleged administrator of the website, who was arrested in the UK. Police from the UK, US, Ukraine, France, Germany, and five other countries were involved.

Tag

#ios